(57) ABSTRACT

A method for managing user group information in a distributed system comprising a heterogeneous server network. The method enables the establishment of a specified set of user groups on a managed server that are not controlled by a central server. A mechanism is provided to identify the user groups on the managed server, store the groups in a persistent location, and access the user groups during synchronization processing. Synchronization of the persistent user groups at the managed server is done only upon consultation with the persistent account store. The result is a set of user groups on the managed server that can be used to maintain special access and privileges to the persistent user group at the managed server.
PERSISTENT USER GROUPS ON SERVERS MANAGED BY CENTRAL SERVERS

BACKGROUND OF THE INVENTION 

1. Technical Field

The present invention relates generally to computer networks and more particularly to the segregation of user groups within a server network consisting of a central server and a set of managed servers running native and non-native operating systems, which allows for the creation and control of persistent user groups at the managed servers within a heterogeneous server network.

2. Description of the Related Art 

The client-server model of computing is a well-known environment. In the model, the user of a computer utilizes a "client" system. The client system runs any of a number of computer operating systems to manage the basic functions that users execute (such as accessing files, executing programs, system administration and the like) as well as to serve as the base against which programs are written. Well-known client operating systems include Microsoft Windows 3.1, Windows for Workgroups, Windows 95, Windows 98, IBM® OS/2® Warp, Apple Macintosh, DOS, many variations of UNIX, and Microsoft Windows NT. The client system serves as the user's workstation, and it may execute programs as well as store some user data.

The server system can also run any of a number of computer operating systems. Well-known server operating systems include Novell Netware, IBM OS/2 Warp Server, IBM AS/400®, Microsoft Windows NT, and many variations of OSF UNIX. The server system is accessed by the client system for specific functions. The functions include, but are not limited to, storage and retrieval of data, storage and execution of applications, and storage of and access to user information.

Server networks are increasingly becoming heterogeneous due to differing problems that can be solved by different servers. User management in these environments requires the creation of different user accounts on the different types of servers. These user accounts eventually have different passwords and possibly different user I.D.'s. A mechanism is needed to allow a single user account definition to be used as the base for any additional user accounts that exist in the network, and for a set of user groups to be used as a base for additional user groups in the network. The mechanism needs to go beyond current technology options and allow the accounts and groups on all servers to be continuously updated. While there are advantages to having common user accounts and user groups on the servers, the ability to have a set of user groups on the managed server that are independent of the central server is desirable.

A common term used to refer to a network of related servers is a domain. Within the server domain is a central server acting as the primary domain controller and a plurality of "managed" servers, sometimes called secondary servers. Industry standards have been developed (for critical and common functions) to aid in the access from different types of client systems to different types of server systems. The use of these standards on the client and server affords users the opportunity to carry out functions in a consistent manner on a variety of common client and server operating systems. One of the activities that has been standardized is the "authentication" of users. Authentication refers to the process in which a user is validated as being able to complete a log-on and/or access a system. Standard protocols have been defined within the X/Open Server Message Block (SMB) specification and the Open Systems Foundation (OSF) Distributed Computing Environment (DCE) specification.

While many products and operating systems have been developed that utilize the standard protocols, not all products have used the standards. When this occurs, either additional work must be done by the other operating system to implement the unique commands used by a vendor, or access to the other new system and/or product is not allowed if the unique commands are not made available to other vendors. When the commands and/or protocol are not made available, that aspect of the system and/or product is sometimes characterized as being "closed". With regard to user management and authentication, the Microsoft Windows NT operating system is becoming an example of a closed server system that is used in many enterprise computer networks.

Server networks are becoming increasingly heterogeneous due to differing application requirements that are solved by different types of servers. Once a server is established, it is desirable to enable access to it without having to manage it completely independently of other servers in the network that are already being utilized. The management of user group access and capability is difficult in a homogeneous server environment where all servers have a common native operating system and, heretofore, it has been virtually impossible to do so in a heterogeneous server environment where servers have native and non-native operating systems. The present invention provides a mechanism to allow establishment of a base set of user groups on a central server in a network that are then used to create and maintain groups across a heterogeneous network of managed servers. The synchronization timing is controlled by the central server and can be done on a real time basis to ensure all servers in the heterogeneous server network are consistent.

While there are many advantages associated with a network of managed servers being controlled by a central server, there are times when it is desirable to keep resources on an additional managed server and secure access to them using a user group based on user accounts or groups known only at that managed server. Such would be the case when multiple common users, say payroll specialists, want to be managed as a group rather than as individual users, and data and/or functions need to exist on the managed server independent of the central server. A mechanism must exist to designate the user group as a persistent user group at a specified managed server, one that is not updated by the central server in the server network. The invention provides a mechanism to identify the user groups on the managed server and a mechanism to exclude them from synchronization updates sent from the central server. This allows specific user groups on a managed server to have resources to which only they have access, or privileges unique to members of the group, which remain available independent of central server controlled synchronization.

SUMMARY OF THE INVENTION 

It is a general object of this invention to provide segregation of user group account establishment and synchronization on a central server.

It is a more specific object to provide user group synchronization from a central server to a plurality of managed servers in a heterogeneous environment within the server network while preserving specific user groups at any managed server.

It is yet another object of the invention to provide specific user groups at managed servers with resources exclusive to them. These user groups are independent of central server control.

These and other objects, features and advantages are provided by a method for managing user group information in a distributed system comprising a heterogeneous server network. The method enables the establishment of a specified set of user groups on a managed server that are not controlled by a central server. A mechanism is provided to identify the user groups on the managed server, store the groups in a persistent location, and access the user groups during synchronization processing. Synchronization of the persistent user groups at the managed server is done only upon consultation with the persistent account store. The result is a set of user groups on the managed server that can be used to maintain special access and privileges to the persistent user group at the managed server.

BRIEF DESCRIPTION OF THE DRAWINGS 

For a more complete understanding of the present inven- 
tion and the advantages thereof, reference should be made to 
the following detailed description taken in connection with 
the accompanying drawings in which: 

FIG. 1 depicts a computer system configured according to the teachings of the present invention;

FIG. 2 is a block diagram of a representative computer network in which the present invention is implemented;

FIG. 3 is a block diagram of the present invention wherein a log-on mechanism is provided in the client running a native operating system to facilitate authentication of a user of the client machine against an account held at a heterogeneous server domain;

FIG. 4 is a block diagram of a homogeneous network of servers;

FIG. 5 is a block diagram of a heterogeneous server domain having a plurality of managed servers;

FIG. 6 is a block diagram of a central server managing data flow;

FIG. 7 is a flow chart of the managed service start up;

FIG. 8 is a flow chart illustrating managed service operations;

FIG. 9 is a representation of the general properties display screen used to manage services;

FIG. 10 is a screen representation of the managed server definition on a managed server;

FIG. 11 is a flow chart illustrating the setting of central server synchronization values;

FIG. 12 is a flow chart illustrating user group establishment in synchronization in a server domain;

FIG. 13 is a flow chart showing whole group synchronization across a server domain;

FIG. 14 is a flow chart of persistent user group establishment; and

FIG. 15 is a flow chart showing persistent user group utilization.

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENT 

The invention may be run on a variety of computers or collection of computers under a number of different operating systems. The computer could be, for example, a personal computer, a mini computer, mainframe computer or a computer running in a distributed network of other computers. Although the specific choice of computer is limited only by disk and disk storage requirements, computers in the IBM PS/2 (TM) series of computers could be used in the present invention. One operating system which an IBM PS/2 personal computer may run is IBM's OS/2 2.0 (TM).

In the alternative, the computer system might be in the IBM RISC System/6000 (TM) line of computers which run on the AIX (TM) operating system. The various models of the RISC System/6000 are described in many publications of the IBM Corporation. The AIX operating system is described in other publications of the IBM Corporation.

While various computers in the computer networks can be used on the computer network by a client-server setup, FIG. 1 is a common computer interface to the computer network wherein a computer 10 comprising a system unit 11, a keyboard 12, a mouse 13 and a display 14 are depicted in block diagram form. The system unit 11 includes a system bus or plurality of system buses 21 to which various components are coupled and by which communication between the various components is accomplished. The microprocessor 22 is connected to the system bus 21 and is supported by read only memory (ROM) 23 and random access memory (RAM) 24 also connected to system bus 21. A microprocessor in the IBM PC series of computers is one of the Intel family of microprocessors including the 386, 486 or Pentium microprocessors. However, other microprocessors including, but not limited to, Motorola's family of microprocessors such as the 68000, 68020 or the 68030 microprocessors and various Reduced Instruction Set Computer (RISC) microprocessors such as the PowerPC chip manufactured by IBM may be used. Other RISC chips made by Hewlett Packard, Sun, Motorola and others may be used in the specific computer.

The ROM 23 contains, among other codes, the Basic Input-Output System (BIOS) which controls basic hardware operations such as the interaction of the processor and the disk drives and the keyboard. The RAM 24 is the main memory into which the operating system and application programs are loaded. The memory management chip 25 is connected to the system bus 21 and controls direct memory access operations including passing data between the RAM 24 and hard disk drive 26 and floppy disk drive 27. The CD-ROM 32, also coupled to the system bus 21, is used to store a large amount of data, e.g., a multimedia program or presentation.

Also connected to this system bus 21 are various I/O controllers: the keyboard controller 28, the mouse controller 29, the video controller 30, and the audio controller 31. As might be expected, the keyboard controller 28 provides the hardware interface for the keyboard 12, the mouse controller 29 provides the hardware interface for mouse 13, the video controller 30 is the hardware interface for the display 14, and the audio controller 31 is the hardware interface for the speakers 15. An I/O controller 40 such as a Token Ring Adapter enables communication over a network 46 to other similarly configured data processing systems.

As described above, one of the preferred implementations of the invention is as sets of instructions 48-52 resident in the random access memory 24 of one or more computer systems configured generally as described above. Until required by the computer system, the set of instructions may be stored in another computer readable memory, for example, in the hard disk drive 26, or in a removable memory such as an optical disk for eventual use in the CD-ROM 32 or in a floppy disk for eventual use in the floppy disk drive 27. Further, the set of instructions can be stored in the memory of another computer and transmitted in a transmission medium over a local area network or a wide area network such as the Internet when desired by the user. One skilled in the art would appreciate that the physical storage of the sets of instructions physically changes the medium upon which it is stored electrically, magnetically, or chemically so that the medium carries computer readable information. While it is convenient to describe the invention in terms of instructions, symbols, characters, or the like, the reader should remember that all of these and similar terms should be associated with the appropriate physical elements.

Further, the invention is often described in terms that could be associated with a human operator. While the operations performed may be in response to user input, no action by a human operator is desirable in any of the operations described herein which form part of the present invention.

FIG. 2 illustrates a computer network having one or more "client" machines 110 and one or more "servers" 112. A typical client machine 110a is a personal computer or workstation running an Intel processor 114 and the Microsoft Windows NT 4.0 operating system 116. For convenience herein, a machine configured in this manner is sometimes referred to as a "Windows NT client". Any other type of hardware platform that runs the Windows NT operating system may be used as the client. According to the present invention, the client also includes an application 118, which provides certain additional functionality to achieve the objects of the present invention. Each client has basic networking hardware to establish a connection out to a server. Thus, for example, a client may have a TCP/IP or NETBIOS connection to the network running over a token ring or Ethernet adapter.

Typically, a server in the computer network is another personal computer or workstation platform that is Intel, Power PC® or RISC® based, and includes an operating system such as Windows NT 4.0, IBM® OS/2® Warp Server, AIX® or the like. At least one server 112a in the computer network is the central server and executes the base operating system or subsystem which is termed "native". This "native" system could be an IBM OS/2 Warp Server, which is sometimes referred to as a "Warp Server". A server 112 is said to be "native" if it is running the same operating system as the server 112a. A "non-native" server is thus a server platform (e.g., a personal computer) running an operating system or subsystem that is different than the operating system running on the server system 112a. Given an IBM OS/2 Warp Server as 112a, examples of such "non-native" servers include, without limitation, Microsoft Windows NT Server, Novell Netware Server, other types of Server Message Block (SMB) servers, as well as operating systems that run Open Systems Foundation (OSF) Distributed Computing Environment (DCE) software. An example of the latter is a DCE Cell running Distributed File System (DFS).

In the prior art, a mechanism exists to allow a user at client system 110a to authenticate to a server domain using a user account held at that domain. As seen in FIG. 3, the module GINA 115' ("graphical identification and authorization") is registered on the example Windows NT client. This enables the Windows NT client user to be authenticated against an account held at a native or non-native server domain 119. As used herein, a "non-native server domain" refers to a database of user account information retained at a given server running an operating system that is different than the operating system running at the client system. The term "heterogeneous client-server network" is commonly used to describe an environment in which the client operating system and server operating system are different. This type of environment is common in the client-server model. In contrast, the term "homogeneous client-server network" is commonly used to describe an environment in which the client operating system and server operating system are the same.

A non-native server domain is typically supported on a non-native server. Thus, where the user seeks authentication from a Windows NT client, a non-native server domain [illegible in the source] Cell in which Distributed File System (DFS) is implemented, or other known domains such as UNIX domains. This is illustrated in FIG. 3. Of course, the computer network can also include a Windows NT server domain 112a if authentication is sought from a native server domain.

[While] heterogeneous client-server networks and homogeneous client-server networks are part of the environment [of] this invention, they are not specific to it. This invention is specific to the network of servers. In particular, [it relates to a network of servers] consisting of a central server [and a set] of managed servers. The managed servers can be [either native or] non-native to the central server.

In the described embodiment, the central server is an OS/2 Warp Server managing a heterogeneous mix of OS/2 servers and Windows NT servers. One of ordinary skill in the art should appreciate that teachings of this invention are also applicable where the server is running other types, native or non-native servers within the server domain. The present invention operates in a network where a single user account [or user group on one server] is used as the basis to [create] the corresponding user account or user group on a different type of managed server. After establishment of the [account or group], the central server where the initial [account] was established will ensure all account updates are replicated to the managed servers on a real time basis.

FIG. 4 is a block diagram representing a high level operation of the present domain server network having a central server 140 with a native operating system 141, user accounts 142, server network definition 151 and managing service 153. Central server 140 controls homogeneous managed servers 144 and 148. Within managed server 144 is a native operating system 145, synchronized user accounts 146 and managed service 154. Likewise managed server 148 has a native operating system 148, synchronized user accounts 150 and managed service 155. The central server 140 can manage a multiplicity of servers such as servers 144 and 148 having a native OS operating system and synchronized user accounts and managed service.

The server network is defined in the central server by server network definition 151. The server network definition 151 provides the network definition required to link the servers together. It consists of a table of "addresses" that are used to direct and receive communications between specific servers in a network. Whether a broadcast mechanism like NETBIOS or a more directed mechanism like TCP/IP is used for communication, the appropriate network addresses would be included in the table. One skilled in the art would recognize that portions or all of the server network definition could be stored at the managed server(s) and/or the central server.

Similarly the managing service 153 is used to control a managed service 154 within managed server 144 and 148.
The managing service 153 and managed services 154 and 155 provide the mechanism to synchronize user accounts.

Managing service 153 and managed service(s) 154 and 155 are the core components used to manage the user accounts across the servers. In a "homogeneous server network" where the servers utilize the same native operating system, the services are implemented through usage of common support that exists on each server. In addition, user accounts 142 and synchronized user accounts 146 are commonly created, updated, and deleted while containing the same information in each.

Prior art exists for user account synchronization in the "homogeneous server network". User account management commands are sent between the central server 140 and the managed server(s) 144 and 148. Since the same commands (application programming interfaces) exist on both servers in a "homogeneous server network", the services are there to support the remote command execution between servers. An example of this is an IBM OS/2 Warp Server created as a Primary Domain Controller, which would be a central server, and an IBM OS/2 Warp Server created as an additional server, which would be a managed server.

Shown in FIG. 5 is central server 140 having a required operating system 141, user accounts defined in 142, a server network definition 151 and a managing service 153. The central server 140 now manages a managed server 144 having a native operating system 145, synchronized user accounts 146, and a managed service 154, as well as heterogeneous server 156 having a non-native operating system 157, synchronized user accounts 158 and a managed service 159. In the described embodiment, the native operating system is an IBM OS/2 Warp Server and the non-native operating system is a Microsoft Windows NT server.

Similar to the "homogeneous server network", managing service 153 and managed service(s) 154 and 159 are the core components used to manage the user accounts across the servers in the "heterogeneous server network". In a "heterogeneous server network" where the servers utilize native OS such as 145 and non-native OS such as 157, common support does not exist on each server. With no common support guaranteed between the central server and the managed server(s), a new and unique mechanism is required to enable the establishment and synchronization of user accounts between the unlike servers.

Managing service 153 and managed service 159 represent the situation where the servers are different, with one using a native OS and one using a non-native OS. Managing service 153 is responsible for determining what each managed server requires and delivering it in a format that can be used at the managed server 156. This involves the tracking of user account changes, packaging of the changes in a known format, and sending them to the correct managed server when required. In the described embodiment, the central server 140 is an IBM OS/2 Warp Server and the user account changes are packaged in the same format as used to synchronize to a managed server 144 that is also an IBM OS/2 Warp Server.

Managed service 159 is responsible for implementation of support to maintain communication with central server 140. The service receives the account changes, determines what has been changed with the user account, and implements the correct set of application programming interface calls to effect the changes for the synchronized user accounts 158 on the managed server 156. The mechanism to do this will be different for each non-native OS and is detailed in later figures.

In operation, central server 140 sends information called mailslot broadcasts to the network from a network communication mechanism 162, as shown in FIG. 6, to the managed server 156, while also responding to requests received from managed servers in the network. Through the network, [mailslots] are used to provide requests and responses to the managed service 159 within the managed server 156. A user account subsystem containing a database [is] maintained in user account records 163. Also resident in the central server 140 is the managing service 164 that was described in detail as mechanism 153 in FIG. 5. Central server 140 and managed server 156 make specific functional requests through application programming interfaces (API) which specify requests and responses as described in FIG. 5.

To enable the receipt and processing of requests sent from the central server, a mechanism is required to start the managed service on the managed server. Once started, the managed service continuously awaits status updates and requests. Shown in FIG. 7, a service control manager is required on the managed server. Either when the managed server is started or through a request from a user with [administrative] capabilities, the managed service is started in step 182. Following the starting of the service, settings that [control] operation of the service are initialized in step 183. These settings are described in FIG. 12. To allow the service to respond to commands issued by the administrator, a mechanism must be established. In step 184, a thread in the operating system is launched to allow the service to recover commands as shown in step 185. Commands include the changing of settings, stopping the service, and starting the service.

[Once] the service control manager thread [is] launched in step 184 of FIG. 7, the main operational [support is established at the] managed server. FIG. 8 shows the steps to establish operational support. A thread or equivalent mechanism is started on the managed server as in step 186. A mailslot or similar communication mechanism is then established at the server in step 188 to enable communication with the central server. To monitor status from the central server, the mailslot or similar communication mechanism must be checked on a regular interval. Step 190 includes the process of checking on a regular basis. For each server in the heterogeneous server network, the communication support must be implemented as appropriate for the non-native OS. Steps 192 and 194 introduce the receipt and processing of user account requests from the central server. The main worker thread shown in step 186 is used to execute those steps, which are detailed in FIG. 12 through FIG. 15, and are implemented for each heterogeneous network server.

The establishment of the managed service at the network server can be through local administration as shown in the screen printout of the managed service shown in FIG. 9 and FIG. 10. To define the service which must be active to enable the ongoing synchronization of user accounts, the service is installed on the server that is to be managed. The method and display of the service may differ by the type of heterogeneous server in the network, and FIG. 9 shows the service in the described embodiment of a Microsoft Windows NT server as a managed server. Communication between a central server and the managed servers is required. In FIG. 9 the managed service, which is called "IBM Networks User Account Manager", is established as part of the Network portion of the server. Additional settings can be established through properties associated with the managed service. Synchronization of the clock on the managed server with the central server clock is one of the settings that is made.
FIG. 10 shows additional controls used for the managed service on the
managed server. For synchronization of user accounts to be in effect, the
managed service must be active. In FIG. 10, the screen shot of the screen
used by the administrator to control the service is shown. The method to
start can either be manual or automatic. The status of the service should
also be able to be retrieved to allow the administrator to know whether
synchronization is active. The status column in FIG. 10 is an example of
a status display.

To establish and control the managing service on the central server, the
server must be accessed with administrative privilege as shown in step 200
of FIG. 11. The managing service needs to exist on the server and, in the
case of the described embodiment of the central server being IBM OS/2 Warp
Server, it is the LAN manager service used for homogeneous servers. Step
202 shows the access to the settings that control operation of the
managing service. The actual settings are done in step 204. Settings that
are needed include the interval at which status updates (described as
pulses) are exchanged from the central server to the managed server(s),
and how much difference is allowed between the servers. The combination
of these settings determines how frequently updates occur to synchronize
the user accounts between servers.

The present invention addresses the problem of managing user group access
and capability in a server network that contains a heterogeneous set of
native and non-native servers. Server networks are becoming increasingly
heterogeneous due to differing application requirements that are solved
by different types of servers.

For user group establishment and synchronization, the groups must first
be created on the central server. This invention is not directed to the
initial creation or updating of groups on the central server. Existing
means that are part of the native operating system or subsystem are used
for the creation and update.

To establish user groups and provide for synchronization, the managed
server receives a status update record from the central server as in step
300 in FIG. 12. A return request for needed update records is then sent
from the managed server to the central server as shown in step 302. The
central server determines in step 304 whether a delta update should be
done since the last update or if a full synchronization needs to be made.
The determination should be based on the number of records that will be
required to update the managed server. If the number of updates is large,
it should be determined that a full synchronization will be done. If only
an incremental or delta update needs to be made, the managed server
receives user group update records from the central server as per step
306. Since the user group format and the method to define and access user
groups differ for each type of server, the managed service is responsible
for determining and issuing the API calls to access the user groups and
read the individual records. Access to the user group records on the
managed server is then made in step 308. This is done by the managed
server when it determines account updates are required. The record is
read from the group update records in step 310 by the managed service
using APIs that exist on the heterogeneous managed server.

Once the record is read, the managed service makes the determination in
step 312 to add, update, or delete the user group account. If the request
is to add, the service is responsible for using the API call appropriate
on the server to add the user group to the user account database on the
managed server as shown in step 314. If the request is to update, step
318 is executed and the service issues the appropriate API call on the
managed server causing the user group to be read and updated on the
managed server. If the request is to delete, step 316 is executed and the
service issues the appropriate API call on the managed server to cause
the user group to be deleted from the user account database on the
managed server. This series of operations continues on the managed server
until the reading of records from the group update records 310 is
complete, which occurs when all records have been processed.

The managed service is responsible for receiving, in step 320 of FIG. 13,
the user group records file that contains all user groups from the
central server. To ensure all group definitions on the managed server are
consistent with the group definitions on the central server, the managed
service running on the managed server issues the API calls appropriate
for the managed server to delete all user groups from the group account
database on the managed server as shown in step 322. Following deletion
of the groups, each of the records received from the central server is
read in step 324. The managed service is then responsible for issuing the
API call appropriate for the managed server to create a group based on
the information received from the central server as shown in step 326.
The group creation includes associating the user accounts defined as part
of the group with the group definition. Each record is read and processing
is complete when the last record has been processed.

While central control of a server network is often desirable, there are
situations when a local administrator has some secure data they do not
want to disturb, or the administrator may need a user group that is unique
to the managed server for unique administrative control. For these and
other situations, there is a need to have specific user groups kept
constant at a managed server. The present invention creates a mechanism
in which an individual with the proper privileges at the managed server
can designate one or more user groups that will be managed independent of
the central server. [...] managed [...] controlled by the central server
while preserving [...] managed server. Special user [...] maintained at
the managed server and associated with the persistent user groups on the
server.

This is accomplished by referring to FIG. 14 wherein an individual with
administrative privilege accesses the managed server in step 400. In step
402 a management screen is displayed to enable the administrator to select
the persistent groups. The administrator in step 404 selects the set of
user accounts that will be persistent on the managed server. FIG. 9 shows
an example of the management screen used in the described embodiment. The
user groups are selected in the box titled "Persistent Groups." An entry
is created on the managed server for the group in a persistent account
store as shown in step 408. If the user group is not locally defined on
the managed server then it is not made persistent and it continues to be
maintained by the central server. After all user groups that have been
selected to be persistent are processed, the actions are completed.

The persistent user groups must be accessed during synchronization
initiated by the central server. These accounts must be excluded from the
changes that are potentially requested for a user group. Step 410 in FIG.
15 reflects the initiation of the synchronization processing at the
managed server. Step 300 of FIG. 12 is an example of the initiation of
synchronization processing.

To determine the user groups that are persistent on the managed server,
the persistent account store must be accessed on the managed server as in
step 412. Each entry or record from the persistent account store on the
managed server must be read. Step 414 shows the reading of a record from
the persistent account store. Prior to delta update processing as shown
in step 306 of FIG. 12 or the full synchronization processing as shown in
step 320 of FIG. 13, the persistent user groups on the managed server must
be masked. By masking the user group records, the managed service can
exclude them during synchronization processing, which will retain the
existing user group information.

During the user group synchronization, each user group
synchronization request is processed as shown in step 418.
When the user group request received from the central
server matches a persistent user group on the managed
server as shown in step 420, the user group synchronization
request is discarded. By discarding the changes for the user
groups, they remain persistent at the managed server and are
unchanged by central server actions.
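The managed-side procedure of steps 300 through 326 and 410 through 420, as an added example in Python. This is not the patent's code, and a real managed service would issue the managed server's native group APIs; here the group account database, the persistent account store, the update record layout and the names ManagedServer, GroupRecord and Action are assumptions standing in for them. The example carries the described embodiment through both synchronization modes: a delta update whose delete request for a persistent group is discarded, and a full synchronization whose delete-all (step 322) is preceded by the masking of steps 412 through 414, so the persistent group survives and the central definition for it is discarded.

```python
"""Managed-side user group synchronization with persistent groups.

Constructed example. The in-memory group database, the persistent store
and the record layout are assumptions; a real managed service would call
the managed server's native group APIs (OS/2 or NT) in their place.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ADD = "add"        # step 314
    UPDATE = "update"  # step 318
    DELETE = "delete"  # step 316


@dataclass(frozen=True)
class GroupRecord:
    """One user group update record from the central server (assumed layout)."""
    action: Action
    name: str
    members: frozenset = frozenset()


@dataclass
class ManagedServer:
    """Stand-in for a managed server's group account database plus its
    persistent account store (both assumed in-memory)."""
    groups: dict = field(default_factory=dict)       # name -> set of accounts
    persistent_store: set = field(default_factory=set)

    def designate_persistent(self, name: str) -> bool:
        """Steps 404-408: enter a group in the persistent account store.
        A group that is not locally defined is not made persistent."""
        if name not in self.groups:
            return False
        self.persistent_store.add(name)
        return True

    @staticmethod
    def choose_sync_mode(pending_records: int, full_sync_threshold: int) -> str:
        """Step 304 (the central server's decision, modelled here): a large
        number of pending records selects a full synchronization."""
        return "full" if pending_records > full_sync_threshold else "delta"

    def _masked(self) -> set:
        """Steps 412-414: read every persistent store entry before any
        update is applied, so those groups can be skipped (masked)."""
        return set(self.persistent_store)

    def apply_delta(self, records) -> list:
        """Steps 306-318 with the step 420 check on every record.
        Returns the records discarded because they name a persistent group."""
        masked = self._masked()
        discarded = []
        for rec in records:
            if rec.name in masked:          # step 420: request is discarded
                discarded.append(rec)
                continue
            if rec.action is Action.DELETE:
                self.groups.pop(rec.name, None)
            else:                           # ADD and UPDATE both set membership
                self.groups[rec.name] = set(rec.members)
        return discarded

    def apply_full_sync(self, records) -> list:
        """Steps 320-326: delete all groups, then recreate from the central
        file. Persistent groups are masked before the step 322 delete-all,
        otherwise they would be wiped before their records are examined."""
        masked = self._masked()
        preserved = {n: self.groups[n] for n in masked if n in self.groups}
        self.groups.clear()                 # step 322 for non-persistent groups
        self.groups.update(preserved)
        discarded = []
        for rec in records:                 # steps 324-326
            if rec.name in masked:
                discarded.append(rec)
                continue
            self.groups[rec.name] = set(rec.members)
        return discarded


def run_example():
    """Constructed scenario: LocalBackup is pinned locally; the central
    server first tries to delete it, then to redefine its membership."""
    srv = ManagedServer(groups={"Admins": {"alice"}, "LocalBackup": {"bob"}})
    srv.designate_persistent("LocalBackup")
    delta = [
        GroupRecord(Action.UPDATE, "Admins", frozenset({"alice", "carol"})),
        GroupRecord(Action.DELETE, "LocalBackup"),
        GroupRecord(Action.ADD, "Printers", frozenset({"dave"})),
    ]
    dropped = [r.name for r in srv.apply_delta(delta)]
    full = [
        GroupRecord(Action.ADD, "Admins", frozenset({"alice"})),
        GroupRecord(Action.ADD, "LocalBackup", frozenset({"mallory"})),
    ]
    dropped += [r.name for r in srv.apply_full_sync(full)]
    return srv.groups, dropped


if __name__ == "__main__":
    print(run_example())
```

Two points follow from where the masking sits. The persistent store has to be read before the step 322 delete-all; checking only at step 420 would be too late for a full synchronization, because the group is already gone by the time its record is read. And since every central request naming a persistent group is discarded, centrally made membership changes, removals included, never reach that group; revoking an account from a persistent group is a task for the managed server's own administrator.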

While the invention has been shown and described with 
reference to particular embodiments thereof, it will be 
understood by those skilled in the art that the invention can 
be practiced, with modification, in other environments. For 
example, although the invention described above can be 
conveniently implemented in a general purpose computer 
selectively reconfigured or activated by software, those 
skilled in the art would recognize that the invention could be 
carried out in hardware, in firmware or in any combination 
of software, firmware or hardware including a special pur- 
pose apparatus specifically designed to perform the 
described invention. Though two managed servers were 
shown and described a multiplicity of managed servers may 
be controlled by a central server. Therefore, changes in form 
and detail may be made therein without departing from the 
spirit and scope of the invention as set forth in the accom- 
panying claims. 

What is claimed is: 

1. In a client server computer network comprised of a 
central server, and a plurality of managed servers, and in 
which network full synchronization of managed server 
records is controlled by said central server, a method for 
synchronization of user records on managed servers with 
user records on said central server, including the steps of: 

sending a status update pulse from the central server to 
managed servers on the network; 
sending, in response to said pulse update record, a return 
request from a managed server to the central server for 
update records; 

sending, in response to said return request, from said 
central server to said managed server, an update record 
request or a request for full synchronization; 

defining at the managed server a set of user records locally 
on the managed server to be persistent accounts on this 
managed server; 

excluding at the managed server from potential changes 
on the managed server, as a result of a central server 
full synchronization request, those user records that 
have been defined as persistent accounts. 

2. The computer as recited in claim 1, wherein the native 
operating system is IBM OS/2 and the non-native operating 
system is Windows NT. 

3. In a client server network comprised of a central server, 
a plurality of managed servers at least some of which 
managed servers are non-native with respect to said central 
server, and in which network user group records are estab- 
lished and are updated on said central server, a method for 
synchronization of user group records on managed servers in 
said network with user group records on said central server, 
including the steps of: 

sending a status update pulse from the central server to 
managed servers on the network; 

sending, in response to said status update pulse, a return 
request from a non-native managed server to the central 
server for update records; 

sending, in response to said return request, from said 
central server to said non-native managed server, an 
update records request or a request for full synchroni- 
zation; 

defining at the non-native managed server a set of user 
records locally on the non-native managed server to be 
persistent accounts on this non-native managed server; 

excluding at the non-native managed server from poten- 
tial changes on the non-native managed server, as a 
result of a central server full synchronization request, 
those user records that have been defined as persistent 
accounts. 